--On July 23, 2010 11:00:21 AM -0700 reg <[email protected]> wrote:
I am trying to write a custom active response based upon the instructions here:
http://www.ossec.net/wiki/Know_How:CustomActiveResponses

To test, I copied this text exactly and ran it on the server with no problem. However, I would like to have this script run on a remote host. To test, I copied the script to a remote host, added it to the /var/ossec/active-response/bin directory, checked the permissions, then modified the script to only execute this:

echo "test" | mail -s "OSSEC Alert" "$MAILADDRESS"

If this is the only contents of the active response it will always fail. The variable $MAILADDRESS is created far earlier in the script. Use the full script from the web page
<http://www.ossec.net/wiki/Know_How:CustomActiveResponses#3-Create_active_response_script>
and just change line 5 MAILADDRESS="[email protected]"

I have verified that the rule I am using to test works; I do see the alerts coming in. However, the active response is not kicking off on the remote host and I am not sure why. I turned on debug=2 for the agent on both the OSSEC server and the client I am trying to kick off the action on, but nothing is coming up.

Here is my command and active response configuration. Even though I do not need any data from the rule itself, the <expect> tags were required for OSSEC to start, but that's another issue (I think).
<command>
  <name>mailtest</name>
  <executable>mailtest.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>svncheck</command>
  <location>defined-agent</location>
  <agent_id>349</agent_id>
  <rules_id>5712</rules_id>
</active-response>
Can someone give me an idea what I am doing wrong, or some way to turn
on further debugging to locate where this is dying?
-R
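The question above asks for a way to find out where the response is dying. The script below is an added debugging example, not code from the original message or from the OSSEC project: it records every invocation and the arguments OSSEC passed before doing anything else, and refuses to run the mail step when MAILADDRESS is empty, which is what the reduced one-line script above runs into. It assumes the argument order OSSEC uses for its own shipped scripts (action, user, srcip, alert id, rule id, agent id, filename); the log path, the recipient address and the sample arguments in the usage note are assumptions for the example. Note also that the configuration posted above defines a command named mailtest but the active-response block refers to svncheck; the example assumes the two names match.

```shell
#!/bin/sh
# Added debugging example; not code from the original message or from OSSEC.
# OSSEC invokes scripts in /var/ossec/active-response/bin with positional
# arguments: $1 action (add|delete), $2 user, $3 srcip, $4 alert id,
# $5 rule id, $6 agent id, $7 filename (the order used by OSSEC's own
# scripts such as host-deny.sh). The log path and recipient below are
# assumptions for the example.

AR_LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"
MAILADDRESS="${MAILADDRESS:-}"   # set or export this before the mail step

# Append one line per invocation with every argument OSSEC passed, so that
# "the script never runs" can be told apart from "the script runs and fails".
record_invocation() {
    logfile="$1"
    shift
    printf '%s %s: args=%s\n' "$(date)" "$0" "$*" >> "$logfile"
}

# Minimal sanity check on the recipient: a one-line script that only does
# echo ... | mail "$MAILADDRESS" fails when the variable is empty.
check_mailaddress() {
    case "$1" in
        *@*) return 0 ;;
        *)   return 1 ;;
    esac
}

main() {
    record_invocation "$AR_LOG" "$@"

    if ! check_mailaddress "$MAILADDRESS"; then
        printf '%s %s: MAILADDRESS is empty or invalid, not sending\n' \
            "$(date)" "$0" >> "$AR_LOG"
        exit 1
    fi

    case "$1" in
        add)
            printf 'OSSEC active response fired: rule %s, agent %s, srcip %s\n' \
                "$5" "$6" "$3" | mail -s "OSSEC Alert" "$MAILADDRESS"
            ;;
        delete)
            # Nothing to undo for a notification-only response.
            ;;
        *)
            printf '%s %s: unknown action %s\n' "$(date)" "$0" "$1" >> "$AR_LOG"
            exit 1
            ;;
    esac
}

# Only run when OSSEC (or a manual test) passes arguments.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

To exercise it by hand on the agent, run it the way OSSEC would, for example `MAILADDRESS=admin@example.com sh mailtest.sh add - 10.0.0.1 1279900000.1234 5712 349` (constructed sample values), then look at the log file. If a line appears there when invoked manually but never appears when the rule fires, the script itself is fine and the problem is in dispatch (the command/active-response configuration or the agent never receiving the request); if no line appears even when run by hand, the problem is permissions, the interpreter, or the path.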